I Moved My Site to SSL and the Sky Didn’t Fall

Google doesn’t often disclose ranking signals, but when they do the search marketing industry works itself into a tizzy. A perfect example is its recent announcement that going HTTPS could provide a slight rankings boost. All of a sudden I have seen hosting and domain registrar companies offering SSL certificates “to give that ranking boost.” Here’s one I saw on Twitter.

I’ve always hated hype in SEO. A good, solid, SEO strategy is one that rides the waves of change, doing the right things consistently over time.

What did intrigue me was this – one barrier to entry might not be the actual cost of “going HTTPS” but the time and potential SEO risk of screwing up your own rankings when “moving home.” If you get the redirects wrong, you could accidentally misdirect users to the wrong location, or no location at all! Formatting your .htaccess or web.config files incorrectly can cause a site to go down.

And, from an SEO perspective, inbound links not correctly attributed to the correct end URL can lose you valuable traffic and rankings potential. So I set up a test.

Reasons for the Test

I don’t believe in knee-jerk reactions in SEO, and so I encourage a fact- and data-driven decision-making model.

I wanted to see if our current keyword rankings would maintain (not increase) by going SSL.

In keeping with proper tests, we tried to keep as many other variables as stable as possible, such as:

No URL structure or content changes

No new links or projects launched at the time

No other marketing “push”

Steps Taken

These were the steps taken at the start of the test:

SSL Certificate installed and verified by our server administrator

URL rewriting to 301 redirect to the https version

Previously set up 301 redirects updated

Rel=“canonical” updated to the https version

HTTPS version authorized in Google Webmaster Tools

John Mueller confirmed during a Google+ Chat that you can’t use the normal “moving my site” tool in Google Webmaster Tools. This is an oversight Google probably should have sorted before making this announcement. But life isn’t perfect!

Results

Here is the path to the ultimate results. I have shortened my notes from each day, so you can get to the TL;DR as fast as possible.

We implemented all of the above and then waited.

Day 3

Despite no indication of HTTPS results being in the index yet, my Webmaster Tools showed the transition had started with historic data applying to HTTP being filtered into the authorised HTTPS account for our domain.

I also remembered that the sitemap.xml file needed updating (There’s always another file isn’t there?) This meant that I had not informed Google explicitly of the new URL structure. I also ensured the site map was re-submitted both on the HTTP and SSL-authorized sites in Webmaster Tools.

Interestingly, the Fetch and Render tool gave me an error fetching a Google Font. Okay, Google shouldn’t block their own font library in its own robots.txt, but that aside, it made me look again at my code. I was referencing the HTTP version in my header, when we don’t want to be sending both secure and insecure resources. So, I updated my LINK tag to pull in the HTTPS version accordingly.
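The check that would have caught that font reference before Google did, as an added example (not code from the original post): a standard-library Python audit that lists every subresource a page still pulls over plain HTTP and reports whether rel="canonical" points at HTTPS. The sample page, its example.com/example.net hosts and the names `HttpsAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as a subresource.
FETCHED = {"script": "src", "img": "src", "iframe": "src", "source": "src",
           "video": "src", "audio": "src", "link": "href"}
# <link rel> values that load something (canonical/alternate do not).
LOADING_RELS = {"stylesheet", "icon", "preload"}

class HttpsAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []      # (tag, absolute URL) fetched over plain HTTP
        self.canonical = None   # absolute rel="canonical" target, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and "canonical" in rels:
            self.canonical = urljoin(self.page_url, a.get("href") or "")
            return
        if tag == "link" and not rels & LOADING_RELS:
            return
        value = a.get(FETCHED.get(tag, ""))
        # Relative and protocol-relative URLs inherit the page's scheme.
        if value and urlsplit(urljoin(self.page_url, value)).scheme == "http":
            self.insecure.append((tag, urljoin(self.page_url, value)))

def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    parser.close()
    ok = bool(parser.canonical) and urlsplit(parser.canonical).scheme == "https"
    return {"insecure": parser.insecure, "canonical_https": ok}

# Constructed sample page (example.com / example.net are placeholders).
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/services/">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<a href="http://www.example.com/contact/">Contact</a>
</body></html>"""
```

Ordinary `<a href>` links are deliberately ignored: they are navigation, not mixed content, and the 301 redirects cover them.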

Day 4

Movement! Hurrah! Granted, the only movement here was the home page being indexed as HTTPS, but that’s better than nothing, right? Also we had a ranking increase for one of our local search terms (the black line in the graph below).

But let’s not get hasty and inadvertently attribute this to switching to HTTPS. Remember that there has been much movement on the local search front recently with the so-called “Pigeon” update. In fact, if you look at our local terms (targets for home page only, since that was the one indexed) they have been gradually improving over July anyway. So was this the result of HTTPS? I don’t think the data suggests that at all.

Day 7

After a few days of barely any URLs switching over in the SERPs, today we finally saw some major movement with a high proportion (about 50%) of our non-blog pages transferring over to the search results.

Day 8

Today I tried to speed up the process by also migrating our WordPress blog – currently separate from our main site, by popping in some custom htaccess. Because htaccess can be defined on a per-folder basis and WordPress is installed into a folder, our blog had its own URL rules, separate to those of our site. So we had to update the folder’s rules.

What this meant was, once users (and search engines) landed on a blog page, they were automatically redirected to the HTTPS version. The 301 status means it was a permanent redirect, which tells search engines to ditch the old URL in their index and replace it with our HTTPS one instead.
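One way to verify those redirects folder by folder, as an added example that is not part of the original post: `record` walks a URL one hop at a time without auto-following, and `check_migration` flags the failure modes discussed here (no redirect because a per-folder htaccess was missed, a temporary instead of permanent redirect, a lost path, a chain through older redirects, a dead end). The function names and the example.com chains are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def record(url, max_hops=5):
    """HEAD the URL one hop at a time, never auto-following redirects."""
    hops = []
    while url and len(hops) < max_hops:
        u = urlsplit(url)
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.netloc, timeout=10)
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        loc = urljoin(url, loc) if loc else None  # resolve a relative Location
        hops.append((url, resp.status, loc))
        conn.close()
        url = loc if resp.status in REDIRECTS else None
    return hops

def check_migration(hops):
    """Return the problems found in one recorded chain (empty list = clean)."""
    src = urlsplit(hops[0][0])
    redirects = [h for h in hops if h[1] in REDIRECTS]
    if not redirects:
        return ["no redirect: still served over plain HTTP"]
    _, status, location = redirects[0]
    dst = urlsplit(location or "")
    problems = []
    if status != 301:
        problems.append(f"first hop is {status}, not a permanent 301")
    if dst.scheme != "https":
        problems.append("first hop does not go to https")
    if (dst.path, dst.query) != (src.path, src.query):
        problems.append(f"path not preserved: {location}")
    if len(redirects) > 1:
        problems.append(f"chain of {len(redirects)} redirects")
    if hops[-1][1] != 200:
        problems.append(f"final status {hops[-1][1]}")
    return problems

H, S = "http://www.example.com", "https://www.example.com"  # constructed placeholders
RECORDED = {  # constructed sample chains, in the shape record() returns
    "clean": [(H + "/services/", 301, S + "/services/"), (S + "/services/", 200, None)],
    "blog": [(H + "/blog/post/", 200, None)],
    "temporary": [(H + "/about/", 302, S + "/about/"), (S + "/about/", 200, None)],
    "homepage": [(H + "/contact/?ref=a", 301, S + "/"), (S + "/", 200, None)],
}
```

Against a live site, run `check_migration(record(url))` over one HTTP URL from each folder that has its own htaccess, plus a few deep links taken from the old sitemap.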

Day 11

Finally, most of our services pages have transferred over. Impressions and clicks dropped off on our HTTP version in GWT…

… and they are picking up in the HTTPS version.

(Please ignore our CTR% – we are working on that!)

What happened to our rankings? Here’s the graph for our Top 10 ranking keywords.

TL;DR

Here are some of my observations during this test:

Although it ought to be accurate, the number of URLs indexed and displayed in Google Webmaster Tools does not actually seem to match reality. Perform an inurl:https://www.yourdomain.com search to see which URLs have already migrated.

For some bizarre reason, it is possible to have both http and https versions ranking – the same page can have different listings for different keywords. We saw this, despite having 301 redirects and clear canonical designation in place.

You need to be patient to allow Google to re-index your site. Currently, Google re-indexes using Googlebot to crawl 301 redirects.

You can migrate safely to HTTPS without loss of rank if everything is done correctly: htaccess (or web.config for Windows servers), canonical, sitemap.xml, GWT authorisation – the lot.

In theory, you should update links to your site to point to the HTTPS version, but it would be somewhat remiss of Google to devalue incoming links to your domain based on protocol. Matt Cutts has said that 301s pass the same value as links, but opinion is divided on this. From our experience changing domains, we have seen value from updating links. It would seem odd then, given that links represent an endorsement by Google in the past, that those same links would be devalued based on new protocol.

Check all folders for “rogue” htaccess files; they may all need updating!

It took nearly two weeks to move over to HTTPS, which is really slow and I genuinely hope that John Mueller and the team at Google get the “moving website location” tool to include the change of protocol if they want people to adopt this quickly and easily.

Final Thoughts

But, really, what is the problem with having an entirely encrypted Web? Sites willing to encrypt their communications are at least one step more trustworthy than those that don’t — not in the quality of content on the website, but how they treat users while they are browsing.

Why not treat all experiences on the Web with respect, regardless of any self-motivated reasons?

Great insight, thank you for sharing. Curious, was there any change in the crawler chart for “Time spent downloading a page (in milliseconds)” after you switched to SSL?

Martin Oxby

Hi George! Looking at it right now, there appears to be no noticeable difference in that graph at all. We will have to look after month 1 of being SSL if website speed itself per Analytics is much affected, but here’s the graph you were curious about:

Great write-up! Have you checked your analytics data to see if the share of direct visits has dropped and the share of organic and/or referred visits increased? Some browsers don’t send the referrer information when going from an HTTPS to HTTP site, but the referrer should be sent if the path is HTTPS to HTTPS (also, HTTP to HTTP or HTTP to HTTPS)

Martin Oxby

I will take a look once I’ve finished my other reports! Got your question and will get back to you

Martin Oxby

Direct traffic is actually up! 32% in the last 30 days from the previous 30 days. Of course, other factors may be at play with that. Organic traffic is down slightly, but nothing that doesn’t look like a ‘normal’ fluctuation.

Dave Culbertson

Well, that’s unexpected! I wonder if your direct traffic increase is equal across all browsers or more tied to a specific browser…

Martin Oxby

IE: +6%
Chrome: +10%
Firefox: +5%
Safari: -25%
Mozilla: +4%

Calculation: +6+10+5-25+4 = 0 (Data OK)

Does that help? Interesting about the 25% drop of Safari share. Might be something to do with iPads/iPhones where default is Safari. Not sure, been snowed under with client work to analyse our own data!

Dave Culbertson

Fascinating. And inconclusive. The wonderful world of analytics.

http://lutrov.com Ivan Lutrov

Have you reverted to using HTTP again? Because the page I’m on now isn’t using HTTPS.

Martin Oxby

Hi Ivan,

Which URL are you looking at, if I can ask? The main site’s pages are all SSL. Anything under /blog/ may still be HTTP as we are reviewing the whole site ahead of a redesign.

Apologies for the delay in getting back to you, been preparing for a large business exhibition the last couple of days

Sean Owens

Absolutely excellent article, it’s a huge amount of trouble to go to but hopefully worth it. I had completely forgotten also about the sitemap. We see the number of indexed pages dropping since we installed SSL. Wondering about reverting. I have to scan all my internal links to make sure they are all http too.

Martin Oxby

Don’t revert back – it’s worth looking through the issues. Especially ensuring your 301 Redirects are working properly, so that all inbound links maintain their value across to HTTPS.

Another challenge as you say internal links (which is why relative links are better) but also internal assets – images, PDFs/Downloads, videos etc to make sure you’re not serving some secure and some insecure content (this can flag up warnings to users).

If you need someone to have a look from the outside, I’m happy to help.

Hammy Havoc

When moving a site to HTTPS, it seems that social media share stats are lost, this isn’t great in terms of business/advertising, apparently Facebook and Google follow 301 redirects, what can be done for Twitter?

Martin Oxby

I’m not sure there is at this stage (though I’m open to someone correcting me). To be honest, the best thing you can do is update any short-links to https and any auto-sharing to https and start collecting stats. As ‘tweets’ are not a ranking factor, you can just collect them again, so you’re not any worse off.

Ryan

What if I have ecommerce shop and I have ssl set to checkout and cart? There is https and http version in google webmaster. There was already added https mapsite. What it should be done to make things ok and do not have duplicate content? Should I redirect all other http requests to https or just set canonical to https or to http?

Martin Oxby

You probably don’t need to worry about duplicate content over checkout and cart pages. However, if you have moved to HTTPS then you really ought to use 301 Redirects and ensure rel=”canonical” is set correctly on those pages, then eventually Google will drop the HTTP versions out of the SERPs.

As for whether all your pages should be HTTPS, on e-commerce sites I would say yes to that. Users are still transmitting data by adding/removing products. Also if they have an account with your site then that login and all subsequent actions should be encrypted.

By that stage you have set so many sections to HTTPS that it would just make sense to move the whole thing over to SSL.

Hope this helps!

Jai Aenugu

Hey, Great article. Thanks! I recently moved my wordpress site (spicydealzz) to https. It is authorised in GWT and GA but google is not indexing my site in GWT. Whenever I do ‘fetch as google’ it says redirected. Could you please advise?

Martin Oxby

The first place I would check is in the browser – if you put http in does it redirect the https – if not then that needs to be actioned.

With WordPress sites you’ll also need to make sure the two web address fields in Settings are https.

Also you will need to do a redirect all pages pattern matching in htaccess (or web.config on a Windows server) from http->https.

And lastly you do need to give Google time to drop old URLs and replace them with https ones. What’s the full URL please? I’m happy to take a really quick look for you.

Jai Aenugu

It is https spicydealzz (dot) in
I could not insert links in comments as it gets marked as SPAM for some reason. Thanks for helping out.

Martin Oxby

From what I can see redirect is happening correctly and permanently (301 Redirect). So I would just be patient. Google will replace old URLs with new URLs over time.

If you have any rogue HTTP URLs which exist in 1-2 months then I would suggest doing a manual URL removal. But it seems correctly implemented at the moment.
